// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.cloud.asset.v1;
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/orgpolicy/v1/orgpolicy.proto";
import "google/cloud/osconfig/v1/inventory.proto";
import "google/iam/v1/policy.proto";
import "google/identity/accesscontextmanager/v1/access_level.proto";
import "google/identity/accesscontextmanager/v1/access_policy.proto";
import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/code.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Asset.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1;asset";
option java_multiple_files = true;
option java_outer_classname = "AssetProto";
option java_package = "com.google.cloud.asset.v1";
option php_namespace = "Google\\Cloud\\Asset\\V1";
// An asset in Google Cloud and its temporal metadata, including the time window
// when it was observed and its status during that window.
message TemporalAsset {
// State of prior asset.
enum PriorAssetState {
// prior_asset is not applicable for the current asset.
PRIOR_ASSET_STATE_UNSPECIFIED = 0;
// prior_asset is populated correctly.
PRESENT = 1;
// Failed to set prior_asset.
INVALID = 2;
// Current asset is the first known state.
DOES_NOT_EXIST = 3;
// prior_asset is a deletion.
DELETED = 4;
}
// The time window when the asset data and state was observed.
TimeWindow window = 1;
// Whether the asset has been deleted or not.
bool deleted = 2;
// An asset in Google Cloud.
Asset asset = 3;
// State of prior_asset.
PriorAssetState prior_asset_state = 4;
// Prior copy of the asset. Populated if prior_asset_state is PRESENT.
// Currently this is only set for responses in Real-Time Feed.
Asset prior_asset = 5;
}
// A time window specified by its `start_time` and `end_time`.
message TimeWindow {
// Start time of the time window (exclusive).
google.protobuf.Timestamp start_time = 1;
// End time of the time window (inclusive). If not specified, the current
// timestamp is used instead.
google.protobuf.Timestamp end_time = 2;
}
// An asset in Google Cloud. An asset can be any resource in the Google Cloud
// [resource
// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
// a resource outside the Google Cloud resource hierarchy (such as Google
// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy),
// or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship).
// See [Supported asset
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
// for more information.
message Asset {
option (google.api.resource) = {
type: "cloudasset.googleapis.com/Asset"
pattern: "*"
};
// The last update timestamp of an asset. update_time is updated when
// create/update/delete operation is performed.
google.protobuf.Timestamp update_time = 11;
// The full name of the asset. Example:
// `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
//
// See [Resource
// names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
// for more information.
string name = 1;
// The type of the asset. Example: `compute.googleapis.com/Disk`
//
// See [Supported asset
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
// for more information.
string asset_type = 2;
// A representation of the resource.
Resource resource = 3;
// A representation of the Cloud IAM policy set on a Google Cloud resource.
// There can be a maximum of one Cloud IAM policy set on any given resource.
// In addition, Cloud IAM policies inherit their granted access scope from any
// policies set on parent resources in the resource hierarchy. Therefore, the
// effectively policy is the union of both the policy set on this resource
// and each policy set on all of the resource's ancestry resource levels in
// the hierarchy. See
// [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance)
// for more information.
google.iam.v1.Policy iam_policy = 4;
// A representation of an [organization
// policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
// There can be more than one organization policy with different constraints
// set on a given resource.
repeated google.cloud.orgpolicy.v1.Policy org_policy = 6;
// A representation of an [access
// policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
oneof access_context_policy {
// Please also refer to the [access policy user
// guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7;
// Please also refer to the [access level user
// guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
// Please also refer to the [service perimeter user
// guide](https://cloud.google.com/vpc-service-controls/docs/overview).
google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9;
}
// A representation of runtime OS Inventory information. See [this
// topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
// for more information.
google.cloud.osconfig.v1.Inventory os_inventory = 12;
// DEPRECATED. This field only presents for the purpose of
// backward-compatibility. The server will never generate responses with this
// field.
// The related assets of the asset of one relationship type. One asset
// only represents one type of relationship.
RelatedAssets related_assets = 13 [deprecated = true];
// One related asset of the current asset.
RelatedAsset related_asset = 15;
// The ancestry path of an asset in Google Cloud [resource
// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
// represented as a list of relative resource names. An ancestry path starts
// with the closest ancestor in the hierarchy and ends at root. If the asset
// is a project, folder, or organization, the ancestry path starts from the
// asset itself.
//
// Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
repeated string ancestors = 10;
}
// A representation of a Google Cloud resource.
message Resource {
// The API version. Example: `v1`
string version = 1;
// The URL of the discovery document containing the resource's JSON schema.
// Example:
// `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
//
// This value is unspecified for resources that do not have an API based on a
// discovery document, such as Cloud Bigtable.
string discovery_document_uri = 2;
// The JSON schema name listed in the discovery document. Example:
// `Project`
//
// This value is unspecified for resources that do not have an API based on a
// discovery document, such as Cloud Bigtable.
string discovery_name = 3;
// The REST URL for accessing the resource. An HTTP `GET` request using this
// URL returns the resource itself. Example:
// `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
//
// This value is unspecified for resources without a REST API.
string resource_url = 4;
// The full name of the immediate parent of this resource. See
// [Resource
// Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
// for more information.
//
// For Google Cloud assets, this value is the parent resource defined in the
// [Cloud IAM policy
// hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
// Example:
// `//cloudresourcemanager.googleapis.com/projects/my_project_123`
//
// For third-party assets, this field may be set differently.
string parent = 5;
// The content of the resource, in which some sensitive fields are removed
// and may not be present.
google.protobuf.Struct data = 6;
// The location of the resource in Google Cloud, such as its zone and region.
// For more information, see https://cloud.google.com/about/locations/.
string location = 8;
}
// DEPRECATED. This message only presents for the purpose of
// backward-compatibility. The server will never populate this message in
// responses.
// The detailed related assets with the `relationship_type`.
message RelatedAssets {
option deprecated = true;
// The detailed relationship attributes.
RelationshipAttributes relationship_attributes = 1;
// The peer resources of the relationship.
repeated RelatedAsset assets = 2;
}
// DEPRECATED. This message only presents for the purpose of
// backward-compatibility. The server will never populate this message in
// responses.
// The relationship attributes which include `type`, `source_resource_type`,
// `target_resource_type` and `action`.
message RelationshipAttributes {
option deprecated = true;
// The unique identifier of the relationship type. Example:
// `INSTANCE_TO_INSTANCEGROUP`
string type = 4;
// The source asset type. Example: `compute.googleapis.com/Instance`
string source_resource_type = 1;
// The target asset type. Example: `compute.googleapis.com/Disk`
string target_resource_type = 2;
// The detail of the relationship, e.g. `contains`, `attaches`
string action = 3;
}
// An asset identifier in Google Cloud which contains its name, type and
// ancestors. An asset can be any resource in the Google Cloud [resource
// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
// a resource outside the Google Cloud resource hierarchy (such as Google
// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
// See [Supported asset
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
// for more information.
message RelatedAsset {
// The full name of the asset. Example:
// `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
//
// See [Resource
// names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
// for more information.
string asset = 1 [(google.api.resource_reference) = {
type: "cloudasset.googleapis.com/Asset"
}];
// The type of the asset. Example: `compute.googleapis.com/Disk`
//
// See [Supported asset
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
// for more information.
string asset_type = 2;
// The ancestors of an asset in Google Cloud [resource
// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
// represented as a list of relative resource names. An ancestry path starts
// with the closest ancestor in the hierarchy and ends at root.
//
// Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
repeated string ancestors = 3;
// The unique identifier of the relationship type. Example:
// `INSTANCE_TO_INSTANCEGROUP`
string relationship_type = 4;
}
// A result of Resource Search, containing information of a cloud resource.
// Next ID: 31
message ResourceSearchResult {
// The full resource name of this resource. Example:
// `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
// See [Cloud Asset Inventory Resource Name
// Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
// for more information.
//
// To search against the `name`:
//
// * Use a field query. Example: `name:instance1`
// * Use a free text query. Example: `instance1`
string name = 1;
// The type of this resource. Example: `compute.googleapis.com/Disk`.
//
// To search against the `asset_type`:
//
// * Specify the `asset_type` field in your search request.
string asset_type = 2;
// The project that this resource belongs to, in the form of
// projects/{PROJECT_NUMBER}. This field is available when the resource
// belongs to a project.
//
// To search against `project`:
//
// * Use a field query. Example: `project:12345`
// * Use a free text query. Example: `12345`
// * Specify the `scope` field as this project in your search request.
string project = 3;
// The folder(s) that this resource belongs to, in the form of
// folders/{FOLDER_NUMBER}. This field is available when the resource
// belongs to one or more folders.
//
// To search against `folders`:
//
// * Use a field query. Example: `folders:(123 OR 456)`
// * Use a free text query. Example: `123`
// * Specify the `scope` field as this folder in your search request.
repeated string folders = 17;
// The organization that this resource belongs to, in the form of
// organizations/{ORGANIZATION_NUMBER}. This field is available when the
// resource belongs to an organization.
//
// To search against `organization`:
//
// * Use a field query. Example: `organization:123`
// * Use a free text query. Example: `123`
// * Specify the `scope` field as this organization in your search request.
string organization = 18;
// The display name of this resource. This field is available only when the
// resource's Protobuf contains it.
//
// To search against the `display_name`:
//
// * Use a field query. Example: `displayName:"My Instance"`
// * Use a free text query. Example: `"My Instance"`
string display_name = 4;
// One or more paragraphs of text description of this resource. Maximum length
// could be up to 1M bytes. This field is available only when the resource's
// Protobuf contains it.
//
// To search against the `description`:
//
// * Use a field query. Example: `description:"important instance"`
// * Use a free text query. Example: `"important instance"`
string description = 5;
// Location can be `global`, regional like `us-east1`, or zonal like
// `us-west1-b`. This field is available only when the resource's Protobuf
// contains it.
//
// To search against the `location`:
//
// * Use a field query. Example: `location:us-west*`
// * Use a free text query. Example: `us-west*`
string location = 6;
// Labels associated with this resource. See [Labelling and grouping GCP
// resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
// for more information. This field is available only when the resource's
// Protobuf contains it.
//
// To search against the `labels`:
//
// * Use a field query:
// - query on any label's key or value. Example: `labels:prod`
// - query by a given label. Example: `labels.env:prod`
// - query by a given label's existence. Example: `labels.env:*`
// * Use a free text query. Example: `prod`
map<string, string> labels = 7;
// Network tags associated with this resource. Like labels, network tags are a
// type of annotations used to group GCP resources. See [Labelling GCP
// resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
// for more information. This field is available only when the resource's
// Protobuf contains it.
//
// To search against the `network_tags`:
//
// * Use a field query. Example: `networkTags:internal`
// * Use a free text query. Example: `internal`
repeated string network_tags = 8;
// The Cloud KMS
// [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
// name or
// [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
// name.
//
// This field only presents for the purpose of backward compatibility. Please
// use the `kms_keys` field to retrieve KMS key information. This field is
// available only when the resource's Protobuf contains it and will only be
// populated for [these resource
// types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field)
// for backward compatible purposes.
//
// To search against the `kms_key`:
//
// * Use a field query. Example: `kmsKey:key`
// * Use a free text query. Example: `key`
string kms_key = 10 [deprecated = true];
// The Cloud KMS
// [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
// names or
// [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
// names. This field is available only when the resource's Protobuf contains
// it.
//
// To search against the `kms_keys`:
//
// * Use a field query. Example: `kmsKeys:key`
// * Use a free text query. Example: `key`
repeated string kms_keys = 28;
// The create timestamp of this resource, at which the resource was created.
// The granularity is in seconds. Timestamp.nanos will always be 0. This field
// is available only when the resource's Protobuf contains it.
//
// To search against `create_time`:
//
// * Use a field query.
// - value in seconds since unix epoch. Example: `createTime > 1609459200`
// - value in date string. Example: `createTime > 2021-01-01`
// - value in date-time string (must be quoted). Example: `createTime >
// "2021-01-01T00:00:00"`
google.protobuf.Timestamp create_time = 11;
// The last update timestamp of this resource, at which the resource was last
// modified or deleted. The granularity is in seconds. Timestamp.nanos will
// always be 0. This field is available only when the resource's Protobuf
// contains it.
//
// To search against `update_time`:
//
// * Use a field query.
// - value in seconds since unix epoch. Example: `updateTime < 1609459200`
// - value in date string. Example: `updateTime < 2021-01-01`
// - value in date-time string (must be quoted). Example: `updateTime <
// "2021-01-01T00:00:00"`
google.protobuf.Timestamp update_time = 12;
// The state of this resource. Different resources types have different state
// definitions that are mapped from various fields of different resource
// types. This field is available only when the resource's Protobuf contains
// it.
//
// Example:
// If the resource is an instance provided by Compute Engine,
// its state will include PROVISIONING, STAGING, RUNNING, STOPPING,
// SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See `status` definition
// in [API
// Reference](https://cloud.google.com/compute/docs/reference/rest/v1/instances).
// If the resource is a project provided by Cloud Resource Manager, its state
// will include LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and
// DELETE_IN_PROGRESS. See `lifecycleState` definition in [API
// Reference](https://cloud.google.com/resource-manager/reference/rest/v1/projects).
//
// To search against the `state`:
//
// * Use a field query. Example: `state:RUNNING`
// * Use a free text query. Example: `RUNNING`
string state = 13;
// The additional searchable attributes of this resource. The attributes may
// vary from one resource type to another. Examples: `projectId` for Project,
// `dnsName` for DNS ManagedZone. This field contains a subset of the resource
// metadata fields that are returned by the List or Get APIs provided by the
// corresponding GCP service (e.g., Compute Engine). see [API references and
// supported searchable
// attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types)
// to see which fields are included.
//
// You can search values of these fields through free text search. However,
// you should not consume the field programically as the field names and
// values may change as the GCP service updates to a new incompatible API
// version.
//
// To search against the `additional_attributes`:
//
// * Use a free text query to match the attributes values. Example: to search
// `additional_attributes = { dnsName: "foobar" }`, you can issue a query
// `foobar`.
google.protobuf.Struct additional_attributes = 9;
// The full resource name of this resource's parent, if it has one.
// To search against the `parent_full_resource_name`:
//
// * Use a field query. Example:
// `parentFullResourceName:"project-name"`
// * Use a free text query. Example:
// `project-name`
string parent_full_resource_name = 19;
// Versioned resource representations of this resource. This is repeated
// because there could be multiple versions of resource representations during
// version migration.
//
// This `versioned_resources` field is not searchable. Some attributes of the
// resource representations are exposed in `additional_attributes` field, so
// as to allow users to search on them.
repeated VersionedResource versioned_resources = 16;
// Attached resources of this resource. For example, an OSConfig
// Inventory is an attached resource of a Compute Instance. This field is
// repeated because a resource could have multiple attached resources.
//
// This `attached_resources` field is not searchable. Some attributes
// of the attached resources are exposed in `additional_attributes` field, so
// as to allow users to search on them.
repeated AttachedResource attached_resources = 20;
// A map of related resources of this resource, keyed by the
// relationship type. A relationship type is in the format of
// {SourceType}_{ACTION}_{DestType}. Example: `DISK_TO_INSTANCE`,
// `DISK_TO_NETWORK`, `INSTANCE_TO_INSTANCEGROUP`.
// See [supported relationship
// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_relationship_types).
map<string, RelatedResources> relationships = 21;
// TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}.
// To search against the `tagKeys`:
//
// * Use a field query. Example:
// - `tagKeys:"123456789/env*"`
// - `tagKeys="123456789/env"`
// - `tagKeys:"env"`
//
// * Use a free text query. Example:
// - `env`
repeated string tag_keys = 23;
// TagValue namespaced names, in the format of
// {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}.
// To search against the `tagValues`:
//
// * Use a field query. Example:
// - `tagValues:"env"`
// - `tagValues:"env/prod"`
// - `tagValues:"123456789/env/prod*"`
// - `tagValues="123456789/env/prod"`
//
// * Use a free text query. Example:
// - `prod`
repeated string tag_values = 25;
// TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}.
// To search against the `tagValueIds`:
//
// * Use a field query. Example:
// - `tagValueIds:"456"`
// - `tagValueIds="tagValues/456"`
//
// * Use a free text query. Example:
// - `456`
repeated string tag_value_ids = 26;
// The type of this resource's immediate parent, if there is one.
//
// To search against the `parent_asset_type`:
//
// * Use a field query. Example:
// `parentAssetType:"cloudresourcemanager.googleapis.com/Project"`
// * Use a free text query. Example:
// `cloudresourcemanager.googleapis.com/Project`
string parent_asset_type = 103;
}
// Resource representation as defined by the corresponding service providing the
// resource for a given API version.
message VersionedResource {
// API version of the resource.
//
// Example:
// If the resource is an instance provided by Compute Engine v1 API as defined
// in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`,
// version will be "v1".
string version = 1;
// JSON representation of the resource as defined by the corresponding
// service providing this resource.
//
// Example:
// If the resource is an instance provided by Compute Engine, this field will
// contain the JSON representation of the instance as defined by Compute
// Engine:
// `https://cloud.google.com/compute/docs/reference/rest/v1/instances`.
//
// You can find the resource definition for each supported resource type in
// this table:
// `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
google.protobuf.Struct resource = 2;
}
// Attached resource representation, which is defined by the corresponding
// service provider. It represents an attached resource's payload.
message AttachedResource {
// The type of this attached resource.
//
// Example: `osconfig.googleapis.com/Inventory`
//
// You can find the supported attached asset types of each resource in this
// table:
// `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
string asset_type = 1;
// Versioned resource representations of this attached resource. This is
// repeated because there could be multiple versions of the attached resource
// representations during version migration.
repeated VersionedResource versioned_resources = 3;
}
// The related resources of the primary resource.
message RelatedResources {
// The detailed related resources of the primary resource.
repeated RelatedResource related_resources = 1;
}
// The detailed related resource.
message RelatedResource {
// The type of the asset. Example: `compute.googleapis.com/Instance`
string asset_type = 1;
// The full resource name of the related resource. Example:
// `//compute.googleapis.com/projects/my_proj_123/zones/instance/instance123`
string full_resource_name = 2;
}
// A result of IAM Policy search, containing information of an IAM policy.
message IamPolicySearchResult {
// Explanation about the IAM policy search result.
message Explanation {
// IAM permissions
message Permissions {
// A list of permissions. A sample permission string: `compute.disk.get`.
repeated string permissions = 1;
}
// The map from roles to their included permissions that match the
// permission query (i.e., a query containing `policy.role.permissions:`).
// Example: if query `policy.role.permissions:compute.disk.get`
// matches a policy binding that contains owner role, the
// matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The
// roles can also be found in the returned `policy` bindings. Note that the
// map is populated only for requests with permission queries.
map<string, Permissions> matched_permissions = 1;
}
// The full resource name of the resource associated with this IAM policy.
// Example:
// `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
// See [Cloud Asset Inventory Resource Name
// Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
// for more information.
//
// To search against the `resource`:
//
// * use a field query. Example: `resource:organizations/123`
string resource = 1;
// The type of the resource associated with this IAM policy. Example:
// `compute.googleapis.com/Disk`.
//
// To search against the `asset_type`:
//
// * specify the `asset_types` field in your search request.
string asset_type = 5;
// The project that the associated GCP resource belongs to, in the form of
// projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM
// instance, Cloud Storage bucket), the project field will indicate the
// project that contains the resource. If an IAM policy is set on a folder or
// orgnization, this field will be empty.
//
// To search against the `project`:
//
// * specify the `scope` field as this project in your search request.
string project = 2;
// The folder(s) that the IAM policy belongs to, in the form of
// folders/{FOLDER_NUMBER}. This field is available when the IAM policy
// belongs to one or more folders.
//
// To search against `folders`:
//
// * use a field query. Example: `folders:(123 OR 456)`
// * use a free text query. Example: `123`
// * specify the `scope` field as this folder in your search request.
repeated string folders = 6;
// The organization that the IAM policy belongs to, in the form
// of organizations/{ORGANIZATION_NUMBER}. This field is available when the
// IAM policy belongs to an organization.
//
// To search against `organization`:
//
// * use a field query. Example: `organization:123`
// * use a free text query. Example: `123`
// * specify the `scope` field as this organization in your search request.
string organization = 7;
// The IAM policy directly set on the given resource. Note that the original
// IAM policy can contain multiple bindings. This only contains the bindings
// that match the given query. For queries that don't contain a constrain on
// policies (e.g., an empty query), this contains all the bindings.
//
// To search against the `policy` bindings:
//
// * use a field query:
// - query by the policy contained members. Example:
// `policy:amy@gmail.com`
// - query by the policy contained roles. Example:
// `policy:roles/compute.admin`
// - query by the policy contained roles' included permissions. Example:
// `policy.role.permissions:compute.instances.create`
google.iam.v1.Policy policy = 3;
// Explanation about the IAM policy search result. It contains additional
// information to explain why the search result matches the query.
Explanation explanation = 4;
}
// Represents the detailed state of an entity under analysis, such as a
// resource, an identity or an access.
message IamPolicyAnalysisState {
// The Google standard error code that best describes the state.
// For example:
// - OK means the analysis on this entity has been successfully finished;
// - PERMISSION_DENIED means an access denied error is encountered;
// - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
// in time;
google.rpc.Code code = 1;
// The human-readable description of the cause of failure.
string cause = 2;
}
// The Condition evaluation.
message ConditionEvaluation {
// Value of this expression.
enum EvaluationValue {
// Reserved for future use.
EVALUATION_VALUE_UNSPECIFIED = 0;
// The evaluation result is `true`.
TRUE = 1;
// The evaluation result is `false`.
FALSE = 2;
// The evaluation result is `conditional` when the condition expression
// contains variables that are either missing input values or have not been
// supported by Analyzer yet.
CONDITIONAL = 3;
}
// The evaluation result.
EvaluationValue evaluation_value = 1;
}
// IAM Policy analysis result, consisting of one IAM policy binding and derived
// access control lists.
message IamPolicyAnalysisResult {
// A Google Cloud resource under analysis.
message Resource {
// The [full resource
// name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
string full_resource_name = 1;
// The analysis state of this resource.
IamPolicyAnalysisState analysis_state = 2;
}
// An IAM role or permission under analysis.
message Access {
oneof oneof_access {
// The role.
string role = 1;
// The permission.
string permission = 2;
}
// The analysis state of this access.
IamPolicyAnalysisState analysis_state = 3;
}
// An identity under analysis.
message Identity {
// The identity name in any form of members appear in
// [IAM policy
// binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
// as:
// - user:foo@google.com
// - group:group1@google.com
// - serviceAccount:s1@prj1.iam.gserviceaccount.com
// - projectOwner:some_project_id
// - domain:google.com
// - allUsers
// - etc.
string name = 1;
// The analysis state of this identity.
IamPolicyAnalysisState analysis_state = 2;
}
// A directional edge.
message Edge {
// The source node of the edge. For example, it could be a full resource
// name for a resource node or an email of an identity.
string source_node = 1;
// The target node of the edge. For example, it could be a full resource
// name for a resource node or an email of an identity.
string target_node = 2;
}
// An access control list, derived from the above IAM policy binding, which
// contains a set of resources and accesses. May include one
// item from each set to compose an access control entry.
//
// NOTICE that there could be multiple access control lists for one IAM policy
// binding. The access control lists are created based on resource and access
// combinations.
//
// For example, assume we have the following cases in one IAM policy binding:
// - Permission P1 and P2 apply to resource R1 and R2;
// - Permission P3 applies to resource R2 and R3;
//
// This will result in the following access control lists:
// - AccessControlList 1: [R1, R2], [P1, P2]
// - AccessControlList 2: [R2, R3], [P3]
message AccessControlList {
// The resources that match one of the following conditions:
// - The resource_selector, if it is specified in request;
// - Otherwise, resources reachable from the policy attached resource.
repeated Resource resources = 1;
// The accesses that match one of the following conditions:
// - The access_selector, if it is specified in request;
// - Otherwise, access specifiers reachable from the policy binding's role.
repeated Access accesses = 2;
// Resource edges of the graph starting from the policy attached
// resource to any descendant resources. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node] contains
// the full resource name of a parent resource and [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
// contains the full resource name of a child resource. This field is
// present only if the output_resource_edges option is enabled in request.
repeated Edge resource_edges = 3;
// Condition evaluation for this AccessControlList, if there is a condition
// defined in the above IAM policy binding.
ConditionEvaluation condition_evaluation = 4;
}
// The identities and group edges.
message IdentityList {
// Only the identities that match one of the following conditions will be
// presented:
// - The identity_selector, if it is specified in request;
// - Otherwise, identities reachable from the policy binding's members.
repeated Identity identities = 1;
// Group identity edges of the graph starting from the binding's
// group members to any node of the [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
// contains a group, such as `group:parent@google.com`. The
// [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group,
// such as `group:child@google.com` or `user:foo@google.com`.
// This field is present only if the output_group_edges option is enabled in
// request.
repeated Edge group_edges = 2;
}
// The [full resource
// name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
// of the resource to which the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] policy attaches.
string attached_resource_full_name = 1;
// The Cloud IAM policy binding under analysis.
google.iam.v1.Binding iam_binding = 2;
// The access control lists derived from the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
// potentially match resource and access selectors specified in the request.
repeated AccessControlList access_control_lists = 3;
// The identity list derived from members of the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
// potentially match identity selector specified in the request.
IdentityList identity_list = 4;
// Represents whether all analyses on the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] have successfully
// finished.
bool fully_explored = 5;
}